Critical System Flaw in Conversation Tab
Jerome Salameh
People can change the email and sender name to whatever they like and abuse it for spam or impersonation issues which can be
Brett Murray
It’s a serious oversight that GoHighLevel currently allows user email addresses to be changed without any security controls, such as verification, approval workflows, or restriction policies. This presents several significant risks:
1/ Identity Hijacking & Impersonation
Without controls, a user could change their email address to impersonate another individual within the system (e.g. a support or executive alias), enabling unauthorized access, manipulation of communications, or reputational damage.
2/ Lack of Audit Trail Integrity
When email addresses are freely editable, tracking activity back to a specific person becomes unreliable. This undermines accountability and complicates forensic analysis in the event of a breach or dispute.
3/ Violation of Cybersecurity Standards
Allowing unrestricted changes violates fundamental cybersecurity practices outlined in frameworks such as ISO 27001, NIST, and the Australian Essential Eight. Email addresses should be treated as identity-linked credentials and require strict change controls.
4/ Increased Risk of Phishing and Social Engineering
Malicious actors or compromised accounts could exploit this loophole to mimic official system email addresses (e.g. support@ or billing@), increasing the risk of internal phishing or social engineering attacks.
5/ Failure to Meet Ethical and Legal Obligations
Platforms handling sensitive user or customer data have a responsibility to enforce minimum security standards. Allowing unrestricted identity changes could expose clients to legal liabilities under data protection regulations (e.g. GDPR, Australian Privacy Act).
Recommended Fix:
GoHighLevel should implement an allowlist for trusted email domains/addresses permitted for use as aliases or support emails. Any changes to a user’s primary email address should trigger:
- Identity verification (e.g. via the current email),
- Admin approval (for team environments),
- Logging and notification,
- Restrictions based on role and permissions.
This issue requires urgent attention to maintain trust, safeguard users, and comply with modern cybersecurity expectations.
Adrian Waldron
Turns out, there’s no built-in “lock” or toggle that prevents users from changing the “From” name and email—they can still impersonate another address when composing emails. This is by design to allow “masking” or “alias” senders, but it also causes spoofing... This is a security risk that must have a setting to turn it off or on - or set a user level!
William Ralfe
Yes, and the default email in the conversation tab is the user's account email instead of the sub-account's connected email, so if the user is part of an agency, the email sent to the client's lead would be yourname@agency.com, which seems like a scam and would put them off.
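One way to model the controls Brett proposes (a per-sub-account allowlist of sender domains and aliases, role restrictions, verification or admin approval before a primary email change, and an audit record for every decision), while also defaulting the compose address to the sub-account's connected email as William describes. This is an added example, not GoHighLevel's own code; the class, field names, roles and the reserved `support`/`billing` aliases are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    NEEDS_VERIFICATION = "needs_verification"    # confirm via the current mailbox
    NEEDS_ADMIN_APPROVAL = "needs_admin_approval"
    DENY = "deny"


@dataclass
class SenderPolicy:
    """Per-sub-account sender controls (assumed model, not the product's own)."""
    connected_email: str                       # the sub-account's verified sending identity
    allowed_domains: set = field(default_factory=set)
    allowed_aliases: set = field(default_factory=set)
    alias_roles: set = field(default_factory=lambda: {"admin"})
    reserved_local_parts: set = field(default_factory=lambda: {"support", "billing"})
    audit_log: list = field(default_factory=list)

    def _record(self, user, requested, decision, reason):
        # Audit trail: who asked for which sender identity, and why it was decided that way.
        self.audit_log.append({"user": user, "requested": requested,
                               "decision": decision.value, "reason": reason})
        return decision

    def default_from(self):
        # Compose defaults to the sub-account identity, not the user's agency login.
        return self.connected_email

    def check_from_address(self, user, role, requested_from):
        addr = requested_from.strip().lower()
        if addr == self.connected_email.lower():
            return self._record(user, addr, Decision.ALLOW, "connected sender")
        if role not in self.alias_roles:
            return self._record(user, addr, Decision.DENY, "role may not use aliases")
        domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        if addr in self.allowed_aliases or domain in self.allowed_domains:
            return self._record(user, addr, Decision.ALLOW, "allowlisted alias")
        return self._record(user, addr, Decision.DENY, "not allowlisted")

    def check_primary_email_change(self, user, new_email, team_environment):
        addr = new_email.strip().lower()
        if addr.split("@", 1)[0] in self.reserved_local_parts:
            return self._record(user, addr, Decision.DENY, "reserved system alias")
        # Never applied silently: confirm via the current mailbox; teams also need admin sign-off.
        decision = Decision.NEEDS_ADMIN_APPROVAL if team_environment else Decision.NEEDS_VERIFICATION
        return self._record(user, addr, decision, "primary email change")
```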